[Snort-sigs] Could someone test a rule for me please?
chas5873 at ...2420...
Wed Jul 9 16:09:56 EDT 2014
I've had a friend test my initial rule (the one in the first post), and
unfortunately it's not providing him with any alerts (unless he's done
something wrong!). I know there's the rule that you posted Joel, and after
doing some googling, I've realised it's been in the community rule set for
about ten years!
I'm curious to know however why my initial rule isn't working, since I
included the search for the content BitTorrent protocol paired with
|0000 0000| - I'm a bit confused because looking at my Wireshark image I
uploaded to tinypic in one of the above posts, that made me assume it would work.
I'd really appreciate if someone could explain what was wrong with my rule
as I'm currently doing a fairly important project and need to understand
this to be honest!
On Mon, Jul 7, 2014 at 1:39 PM, Charlie Egan <chas5873 at ...2420...> wrote:
> Ah that makes sense now! Cheers for that Joel, appreciate it.
> On Mon, Jul 7, 2014 at 1:37 PM, Joel Esler (jesler) <jesler at ...3865...>
>> |13| means “look for 13, in hex (as opposed to ascii)”. In BitTorrent,
>> this is the Protocol Name Length field, which is always set to 19 (|13|
>> in hex). Then "protocol name" = “BitTorrent Protocol”.
>> *Joel Esler*
>> Open Source Manager
>> Threat Intelligence Team Lead
>> Vulnerability Research Team
>> On Jul 7, 2014, at 6:43 AM, Charlie Egan <chas5873 at ...2420...> wrote:
>> Sorry to be a pain guys, could somebody get back to me regarding my
>> last query?
>> On Thu, Jul 3, 2014 at 11:39 AM, Charlie Egan <chas5873 at ...2420...> wrote:
>>> No worries Nathan!
>>> Joel, I'm curious to what the |13| means in the content section? I
>>> can't figure it out when looking at the stream content image I uploaded
>>> above from Wireshark.
>>> Your rule looks a lot better than mine, with the extra depth which I've
>>> just read up about, so thanks for that.
>>> Out of curiosity though, would my initial rule have worked without
>>> giving out any false positives?
>>> On Wed, Jul 2, 2014 at 7:17 PM, lists at ...3397... <
>>> lists at ...3397...> wrote:
>>>> On 07/02/2014 12:56 PM, Joel Esler (jesler) wrote:
>>>> > I think Nathan may have missed the “BitTorrent protocol” part.
>>>> Without a doubt, I completely missed it. I profusely apologize
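An added example, not from anyone in this thread: a small Python emulation of a Snort `content` match (pipe-delimited hex plus literal text, with an optional `depth`) run against a constructed BitTorrent handshake. It shows the |13| length prefix Joel describes, and that a pattern anchored on the length prefix and protocol string does not depend on the reserved bytes, whereas one that also requires all eight reserved bytes to be zero misses a peer advertising extension bits (the reserved-byte values here are constructed, not taken from a capture).

```python
from typing import Optional

PSTR = b"BitTorrent protocol"  # 19 bytes, so the length prefix is 0x13


def build_handshake(reserved: bytes, info_hash: bytes, peer_id: bytes) -> bytes:
    """Constructed handshake: pstrlen, pstr, 8 reserved bytes, info_hash, peer_id."""
    assert len(reserved) == 8 and len(info_hash) == 20 and len(peer_id) == 20
    return bytes([len(PSTR)]) + PSTR + reserved + info_hash + peer_id


def snort_content_bytes(pattern: str) -> bytes:
    """Convert a Snort content string such as '|13|BitTorrent protocol' to bytes.
    Text between pipes is hex (spaces ignored); everything else is literal."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, pattern: str, depth: Optional[int] = None) -> bool:
    """Emulate 'content' with optional 'depth': the pattern must lie entirely
    within the first `depth` payload bytes (the whole payload if depth is None)."""
    needle = snort_content_bytes(pattern)
    haystack = payload if depth is None else payload[:depth]
    return needle in haystack


# Constructed sample peers (not real captures). The second advertises the
# extension bits common clients set, so its reserved bytes are not all zero.
INFO_HASH = b"\x11" * 20
PEER_ID = b"-AB0001-" + b"\x22" * 12
PLAIN_PEER = build_handshake(b"\x00" * 8, INFO_HASH, PEER_ID)
EXT_PEER = build_handshake(bytes.fromhex("00 00 00 00 00 10 00 05"), INFO_HASH, PEER_ID)

LEN_PREFIX_RULE = "|13|BitTorrent protocol"
ZERO_RESERVED_RULE = "BitTorrent protocol|00 00 00 00 00 00 00 00|"


def evaluate_rules() -> dict:
    """Run both content patterns against both constructed handshakes."""
    return {
        "len_prefix_plain": content_match(PLAIN_PEER, LEN_PREFIX_RULE, depth=20),
        "len_prefix_ext": content_match(EXT_PEER, LEN_PREFIX_RULE, depth=20),
        "zero_reserved_plain": content_match(PLAIN_PEER, ZERO_RESERVED_RULE),
        "zero_reserved_ext": content_match(EXT_PEER, ZERO_RESERVED_RULE),
    }


if __name__ == "__main__":
    for name, hit in evaluate_rules().items():
        print(f"{name}: {'alert' if hit else 'no alert'}")
```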